             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     Oracle9i User Privileges Vulnerability
                          [Oracle Security Alert #33]

April 23, 2002 22:00 GMT                                          Number M-071
______________________________________________________________________________
PROBLEM:       A potential security vulnerability has been discovered in 
               Oracle9i database server. It is possible to create a user 
               defined in the Oracle9i database server with limited privileges 
               who can potentially access privileged data using SQL syntax for 
               outer joins. 
PLATFORM:      All platforms using Oracle9i Database, Release 9.0.1.x. 
DAMAGE:        A knowledgeable and malicious user may gain unauthorized access 
               to data in Oracle9i database server. 
SOLUTION:      Apply the patch supplied by vendor. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A user account defined in the Oracle9i 
ASSESSMENT:    database is required to exploit this vulnerability. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-071.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf 
______________________________________________________________________________

[***** Start Oracle Security Alert #33 *****]

Oracle Security Alert #33
Dated: 17 April 2002

User Privileges Vulnerability in Oracle9i Database Server

Description
A potential security vulnerability has been discovered in Oracle9i database 
server. It is possible to create a user defined in the Oracle9i database 
server with limited privileges who can potentially access privileged data 
using SQL syntax for outer joins. As such, a knowledgeable and malicious
user can gain unauthorized access to data in Oracle9i database server.

None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7 
database server release is affected by this vulnerability.

Products affected
Oracle9i Database, Release 9.0.1.x, only

Platforms affected
All

Workarounds
There are no workarounds to protect against this potential vulnerability.

Patch Information
Oracle has fixed the potential vulnerability identified above in the 
upcoming Oracle Database server release, Oracle9i, Release 2. Patches 
with the base bug fix number, 2121935, are being made available only for 
supported releases of Oracle9i, Releases 9.0.1.x, database server on all
supported platforms.

Download currently available patches for your platform from Oracle’ s 
Worldwide Support web site, Metalink, http://metalink.oracle.com. Activate 
the "Patches" button to get to the patches Web page. Enter the base bug fix 
number indicated above and activate the "Submit" button.

Please check with Metalink or Oracle Worldwide Support Services periodically 
for patch availability if the patch for your platform is not yet available.

IMPORTANT NOTE: If any view in the Oracle9i database server was created 
before application of your patch, re-compile all views including string 
'JOIN' (as user SYS) immediately after application of your patch.

Oracle strongly recommends that you comprehensively test the stability of 
your system upon application of any patch prior to deleting any of the 
original file(s) that are replaced by the patch.

[***** End Oracle Security Alert #33 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities
M-068: Microsoft IE and Office for Macintosh Vulnerabilities
M-069: Microsoft SQL Server Unchecked Buffer Vulnerabilities
CIACTech02-003: Protecting Office for Mac X Antipiracy Server Ports
M-070: Apache HTTP Server on Win32 Vulnerability